Reported on Bugtraq: [1]XOOPS 2.2.3 Final arbitrary local inclusion [2]XOOPS WF-Downloads module v 2.05 SQL Injection / Administrative credentials disclosure / Remote commands execution
web-apps please advise.
Nothing upstream afaict, to be confirmed... Also we probably don't provide the WF-Downloads module in Portage.
Vulnerability #1 relies on 'register_globals' set to 'on'. Default installation on Gentoo is to set this to 'off'; however, because the majority of PHP applications are "legacy" applications, many of our users will have changed the default setting of 'register_globals' to 'on'. Workaround is to switch 'register_globals' to 'off'. There's no sign of anything from UPSTREAM yet. We're not vulnerable to the second one; like Koon said, we don't ship the WF-Downloads module. Best regards, Stu
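Added example, not part of this bug thread: a POSIX shell check for the workaround described above, i.e. whether a php.ini file effectively enables register_globals (the setting vulnerability #1 depends on). The php.ini path in the commented-out loop is an assumption about the system's layout.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a php.ini for an effective
# register_globals=On, the setting the local-inclusion issue relies on.
# PHP ini semantics handled here: ';' comments, case-insensitive key and value,
# On/1/true/yes mean on, anything else (or no entry at all) means off, and the
# last definition in the file wins.

# php_register_globals_state FILE -> prints "on" or "off"
php_register_globals_state() {
  awk -F'=' '
    /^[[:space:]]*;/ { next }                          # comment line
    NF >= 2 {
      key = $1; gsub(/^[[:space:]]+|[[:space:]]+$/, "", key)
      if (tolower(key) != "register_globals") next
      val = $2; sub(/;.*/, "", val); gsub(/[[:space:]"]/, "", val)
      v = tolower(val)
      state = (v == "on" || v == "1" || v == "true" || v == "yes") ? "on" : "off"
    }
    END { print (state == "" ? "off" : state) }
  ' "$1"
}

# audit_php_ini FILE -> exit 0 if off, 1 if on (prints a one-line verdict)
audit_php_ini() {
  if [ "$(php_register_globals_state "$1")" = "on" ]; then
    echo "FAIL: $1 sets register_globals=On (switch it to Off)"
    return 1
  fi
  echo "OK:   $1 has register_globals off"
}

# Constructed sample: a php.ini where a later edit re-enabled the setting.
SAMPLE_INI='; PHP configuration
register_globals = Off
; added later for a "legacy" application
REGISTER_GLOBALS = On   ; last definition wins
display_errors = Off'

if [ -z "${NO_DEMO:-}" ]; then
  demo=$(mktemp)
  printf '%s\n' "$SAMPLE_INI" > "$demo"
  audit_php_ini "$demo" || true          # reports FAIL for the sample
  # Real audit (path layout assumed, e.g. /etc/php/*/php.ini): uncomment to run.
  # for f in /etc/php/*/php.ini; do [ -f "$f" ] && audit_php_ini "$f"; done
  rm -f "$demo"
fi
```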
Let's close this one. register_globals=On is evil anyway. Feel free to reopen if you disagree.